Shop online safely

Washington Post columnist Brian Krebs did a great piece “Eight tips for safe online shopping.” His list:

1. Shop with a credit card, not a debit card.

2. Keep track of your receipts.

3. Shop from a locked-down PC.

4. Look for the SSL sign/padlock in the browser’s address bar.

5. Avoid bargain-basement shopping online.

6. Double-check those shipping policies.

7. Read the fine print (Being in a hurry when you make a Web purchase can cause you to ‘sign up’ for unwanted offers).

8. Shopping online at work could be hazardous to your career. (If your employer’s acceptable use policy precludes shopping during working hours, you might find yourself on the “downsize” list.)

Column here.

Tom Kelchner

Fraudulent Youtube vids

If you’re searching for videos of the infamous Adam Lambert AMA kiss, Ortiz vs. Griffin or Jennifer Lopez at the AMAs, a twist in fraud has come to YouTube, this time in the form of a fake message on a video itself telling the user to go to another site.


This message has nothing to do with YouTube. In fact, it’s pushing users to a dodgy site, watchama2009.tk, which is actually a front for Satellite Direct TV.

Alex Eckelberry
(Thanks, Calvin)

New web toy “Mystery Google:” funny and dangerous

Someone put up a fun site in October. The “Mystery Google” search page gives you the search results of the person who did a search before you. The results can be… ahem… interesting. I tried it out with the word “Russia.”

[Screenshot: Mystery Google search page]

Here was the previous person’s search. I’m not sure what was up, but I sense a bit of hostility:

[Screenshot: the previous person’s search results]

Unfortunately, this could be used by rogue security product vendors or other malicious operators to direct victims to their sites. They’d only need to set up sites with drive-by malware then create an automated agent to do a whole lot of Mystery Google searches for terms that would hit those sites.

So, if you play with it, be careful where you go after the first screen.

Here is the whois info:

Domain Name: mysterygoogle.com

   Registrant Contact:
      mysterygoogle.com Private Registrant
      A Happy DreamHost Customer
      417 Associated Rd #324
      Brea, CA 92821
      US
      +1.2139471032

     mysterygoogle.com@proxy.dreamhost.com

   Record created on 2009-10-02 10:13:25.
   Record expires on 2010-10-02 10:13:25.

Thanks to Alex and Chaim Rieger on funsec

Tom Kelchner


Britain’s DNA database – world’s largest – is under fire for privacy concerns

Britain has stored the DNA profiles of 5.9 million people, which is about 10 percent of the country’s population. It’s been estimated that as many as one million of those whose information has been in the database since it was started in 1995 have never been convicted of a crime.

The group Genewatch has pointed out that the database contains records on 30 percent of the country’s black population – a much higher proportion than for the general population. Records of about one million children are also stored.

The government announced earlier this month that DNA records of adults who were not convicted of any crimes would be removed after six years. Terror suspects’ details, however, would be kept indefinitely. Data from juveniles who were found not guilty of any serious crime would be kept for three years — six years if they are 16 or 17 years old.

Previously, the government kept for life DNA samples from anyone arrested by police in England, Wales and Northern Ireland.

The European Court of Human Rights has called the life-time retention policy “blanket and indiscriminate.” In Scotland, the DNA profiles of those arrested for serious crimes are kept for three to five years. Profiles taken in more minor cases have been destroyed.

Defenders of the system point to successful investigations. Matches were found at 390,000 crime scenes between April 1998 and September 2008. Last year investigators found 17,614 matches, including those in 83 murder investigations and 184 rape investigations.

Story here: The Big Question: Why is Britain’s DNA database the biggest in the world, and is it effective?

Tom Kelchner

Are you ready for the holiday cyber theft season?

The holiday shopping season will kick off in earnest on Friday – named “Black Friday” because that’s the date that many businesses traditionally go into the black for the year.

Another tradition is an uptick in Internet fraud, scams and hacks.

Social engineering will probably be the biggest danger to look for. Just like any other shopping day of the year, if the deal seems too good to be true, it probably is.

Expect rogue security products to be “on sale” in spam email, messages from social networking sites or web sites. To check if a product is a rogue, just search for its name on the Sunbelt Rogue Blog page here.

Fraudulent sites that are set up to steal your credit card and other identity information are also a serious threat.

Search Engine Optimization techniques will be big this year. Internet thieves will be pushing their sites high into the search engine result rankings. So, if you go looking for something like “black Friday sales” in a search engine, take a look at the URL before you click on it.

I just did it and found one listing with an “.fm” top-level domain. Interesting. Who in the Federated States of Micronesia is holding a major holiday sale? Malicious sites often are registered in such places because of a lack of regulation.

The .cn top level domain is another one to keep an eye out for. It’s the domain for China. A vast number of compromised machines there are used for all kinds of scams.

Another easy trick: do some research and check how long the web site you’re considering purchasing from has been in existence. Cut and paste its URL into http://www.whois.net/ and look for the line “created on…”. If a site has been created in the last few days, be very careful. Legitimate sites certainly can be registered and go on line at any time; however, malicious sites are usually new. They get taken down as soon as their ISPs discover fraud or malware, so they don’t last long.
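The two checks above (look at the top-level domain, and look at the “created on” date in the whois record) are easy to automate. This is an added example, not code from the post or from whois.net; the WHOIS excerpts are constructed, except that the second reuses the “Record created on” line quoted for mysterygoogle.com earlier on this page, and the watched TLDs and the 30-day threshold are this example’s own assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS excerpts (not real lookups).
FRESH_SALE_WHOIS = """\
Domain Name: blackfriday-megadeals-example.fm
Creation Date: 2009-11-24T15:02:11Z
Registry Expiry Date: 2010-11-24T15:02:11Z
"""
OLDER_SITE_WHOIS = """\
Domain Name: mysterygoogle.com
   Record created on 2009-10-02 10:13:25.
   Record expires on 2010-10-02 10:13:25.
"""

# Date of the check (constructed: the week of Black Friday 2009).
ASSESSED_AT = datetime(2009, 11, 25, tzinfo=timezone.utc)

# TLDs the post singles out for a second look (assumption: a watch-list is a
# prompt for scrutiny, not proof of anything).
WATCHED_TLDS = {"fm", "cn", "tk"}

# Registrars label the creation date differently; cover the common spellings,
# including the "created on" wording the post tells you to look for.
CREATED_PATTERNS = [
    r"Creation Date:\s*(\S+)",
    r"Created On:\s*(\S+)",
    r"Record created on\s*(\S+\s*\S*)",
]
DATE_FORMATS = ["%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y"]


def parse_creation_date(whois_text):
    """Return the creation date as an aware UTC datetime, or None if not found."""
    for pat in CREATED_PATTERNS:
        m = re.search(pat, whois_text, re.IGNORECASE)
        if not m:
            continue
        raw = m.group(1).strip().rstrip(".")
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                pass
    return None


def assess_domain(domain, whois_text, now, max_age_days=30):
    """Return a list of warning flags for a shop domain: 'watched-tld',
    'new' (registered less than max_age_days ago) or 'no-creation-date'."""
    flags = []
    tld = domain.rsplit(".", 1)[-1].lower()
    if tld in WATCHED_TLDS:
        flags.append("watched-tld")
    created = parse_creation_date(whois_text)
    if created is None:
        flags.append("no-creation-date")
    elif (now - created).days < max_age_days:
        flags.append("new")
    return flags


if __name__ == "__main__":
    print(assess_domain("blackfriday-megadeals-example.fm", FRESH_SALE_WHOIS, ASSESSED_AT))
    print(assess_domain("mysterygoogle.com", OLDER_SITE_WHOIS, ASSESSED_AT))
```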

Basically, to protect yourself:

— Use common sense: if the deal seems to be too good to be true, it probably is.
— Don’t make on-line purchases from untrusted sites.
— Keep the anti-virus scanner on your PC up to date with the latest signatures if you don’t have the auto-update feature turned on. If you don’t have AV, Sunbelt Software is offering Black Friday and Cyber Monday specials on VIPRE. Read about them here.
— Be sure your Windows operating system has the latest updates.
— Be sure your web browser is updated. It would be best to upgrade to Internet Explorer 8 since unpatched vulnerabilities have been reported in IE 6 and 7 in the last few days.
— Be sure your Adobe Acrobat or Reader are up-to-date. There have been a number of recent vulnerabilities reported in them.
— Don’t make purchases from sites that are advertised by spam email.

Tom Kelchner

VIPRE holiday weekend special pricing

Sunbelt is offering a Black Friday special for those of you anticipating those usual holiday-linked malware attacks: a single one-year subscription license for VIPRE for $9.95.

Go to www.vipreantivirus.com/blackfriday to take advantage of this deal.

Also, on Cyber Monday (November 30th), Sunbelt is offering a one-year, unlimited, home site license subscription for $19.95. The Cyber Monday special pricing is only available on Monday, November 30, 2009. Go to www.vipreantivirus.com/cybermonday for more information.

Full company propaganda here.

Tom Kelchner

Another award thingie

Windows IT Pro has VIPRE Enterprise named as the top antimalware product, chosen by system administrators (the “Community Choice” award).

Our good friends at ESET and Trend also made the cut:

Community Choice
Gold: VIPRE Enterprise—Sunbelt Software (www.sunbelt.com)
Silver: ESET NOD32—ESET (www.eset.com)
Bronze: OfficeScan—Trend Micro (www.trendmicro.com)
Link to the award here, Sunbelt propaganda here.
Alex Eckelberry

Cool tool: EULAlyzer by Javacool Software

Eric Howes drew my attention to this application several weeks ago and I’ve been using it to analyze End User License Agreements (EULA) ever since.

To work it, you click “analyze,” cut and paste the text of a EULA into a text box “License Agreement to Analyze” and click the “analyze” button. It will find key words and phrases and display them in a nicely organized fashion with an “Interest Level” rating (0=low interest, 10=something you should probably think about). Click the icons to the right of the ratings and it pulls up and highlights the text in the “License Agreement Text” text box.

It flags the relevant text under the categories:
— advertising
— privacy; web bugs
— privacy; Zip/postal code
— promotional messages
— third party
— without notice

Clicking on any of those headings in the display drops down a list of “hits” that you can explore further.

[Screenshot: EULAlyzer results display]

There aren’t any “help” menus and some of their terms could use further definition (“a healthy read” apparently means that the EULA isn’t too short or too long), but it’s mostly intuitive.

EULAlyzer doesn’t really say something is “good,” “bad” or “ugly” but it does draw your attention to text that should be of “high interest” to you.

You can analyze instantly a 20-page EULA and discover statements like: “When individuals use the Internet, the Network uses such persons’ Individual Information to show advertising for products and services in which those users have expressed an interest, whether directly or indirectly.”

“Expressed an interest… indirectly” sounds to me like either browser monitoring or verbiage from the middle school dating scene.
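The core of what the tool does, as described above, is a keyword scan grouped by category with an interest level. Here is an added example of that idea, not EULAlyzer’s own code or rules: the categories are the ones the post lists, but the trigger phrases and interest levels are this example’s assumptions, and the sample EULA is constructed around the sentence quoted above.

```python
import re

# Categories from the post, each with an assumed interest level
# (0 = low, 10 = something you should probably think about) and trigger phrases.
CATEGORIES = {
    "advertising": (7, [r"\badvertis\w*", r"\bads?\b"]),
    "privacy; web bugs": (8, [r"\bweb bugs?\b", r"\bweb beacons?\b", r"\bpixel tags?\b"]),
    "privacy; Zip/postal code": (6, [r"\bzip code\b", r"\bpostal code\b"]),
    "promotional messages": (5, [r"\bpromotional\b", r"\bnewsletters?\b"]),
    "third party": (8, [r"\bthird[- ]part(?:y|ies)\b"]),
    "without notice": (9, [r"\bwithout (?:prior )?notice\b"]),
}

# Constructed sample EULA text, built around the clause quoted in the post.
SAMPLE_EULA = (
    "When individuals use the Internet, the Network uses such persons' "
    "Individual Information to show advertising for products and services in "
    "which those users have expressed an interest, whether directly or indirectly. "
    "We may share your Zip code with third parties and use web beacons to measure "
    "ad performance. You agree to receive promotional messages. These terms may "
    "change without notice."
)


def analyze_eula(text, context=40):
    """Scan the text and return {category: (interest, [(matched phrase, snippet), ...])}
    for every category that has at least one hit. The snippet is the matched
    phrase with `context` characters either side, which is what you would
    highlight in the license text."""
    hits = {}
    for name, (level, patterns) in CATEGORIES.items():
        found = []
        for pat in patterns:
            for m in re.finditer(pat, text, re.IGNORECASE):
                start = max(0, m.start() - context)
                end = min(len(text), m.end() + context)
                found.append((m.group(0), text[start:end].replace("\n", " ")))
        if found:
            hits[name] = (level, found)
    return hits


def summary(hits):
    """(interest, category, hit count) tuples, highest interest first."""
    return sorted(((lvl, name, len(found)) for name, (lvl, found) in hits.items()),
                  reverse=True)


if __name__ == "__main__":
    results = analyze_eula(SAMPLE_EULA)
    for level, name, count in summary(results):
        print(f"[{level:2d}] {name}: {count} hit(s)")
        for phrase, snippet in results[name][1]:
            print(f"      '{phrase}' ... {snippet}")
```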

Go here to get the freeware, or buy the “pro” version.

Tom Kelchner

Dangerous new spam campaign pushes Zbot

A new spam campaign is currently hitting mailboxes.

Samples include:

[Screenshots: two spam samples]

Text:

Hey, some jerk has posted your pictures (u understand what kind of pictures are there) and sent a link of them to all ur friends. I have already replied back. Said, that he is an idiot. See the link:

A link points to a site, pushing a download.

[Screenshot: the download site]

The download is actually a Zbot installer (VT results showing fairly weak detection).

Alex Eckelberry

Piloyd worm running amok in China

There are a huge number of news stories in Chinese and a few in English on the Web today about a worm that apparently is spreading rapidly in China. The Inquirer is quoting the National Computer Virus Emergency Response Centre in Tianjin, China, saying that Worm_Piloyd.B is spreading rapidly, that it infects exe, html and asp files and blocks attempts to fix them. The centre’s English web page seems to be about a week behind, so we couldn’t get the original notice.

The Inquirer said Piloyd probably was being used to expand a botnet.

Western AV companies have listed detections for the malware since last summer or fall. Names include:

AVG: Worm/Generic.AOFP
F-Secure: Worm.Generic.90951
Kaspersky: Net-Worm.Win32.Piloyd.g
Microsoft: TrojanDownloader:Win32/Jadtre.A
Sophos: W32/Autorun-ASW
Sunbelt: Trojan-Downloader.Win32.Sfn!cobra (v)
Symantec: Adware.Lop
TrendMicro: WORM_STRAT.GEN-3

VIPRE and a number of the others catch it with heuristic detections.

Story here: “China warns of a new virus”

Tom Kelchner

Why IT managers drink: 10 issues that drive them to the bottle

PCAuthority just carried a great feature “Top 10 issues overloading IT managers,” that everyone should read. Nearly all of us who work with these demon machines depend on the IT folks. There are a lot of things we can do to make their lives easier (or at least not make their lives more hellish.)

The ten issues are:

10. Cloud integration (is waaaay complicated and must be done right. Integrating with local resources is both a technical and management issue.)

9. Internal/external data breaches (Think new technology, new hacks, external bad actors and internal bad actors. Oh yea, and consider the clueless twits who click on malicious attachments in spam.)

8. OS migration (W-I-N-D-O-W-S-7. This is really ugly if the enterprise opted out of Vista. Migration from WinXP to Win7 is serious work.)

7. Patch deployment (A big job that is made bigger by more users plus more work stations plus more software plus virtualized machines times more malware that is more dangerous.)

6. Remote workers (Those using their own machines are a real pain.)

5. Compliance (Regulatory acts like Sarbanes-Oxley and HIPAA as well as local and federal laws mean that most companies are holding onto more data.)

4. Over management by non-IT staff (They just don’t understand, especially the sales folks who promise customers the impossible.)

3. Virtualization (This offers great benefits and great complexity.)

2. Storage (Adding drives isn’t the answer.)

1. Budget constraints (recession = do more with less.)

The writers also give honorable mention to:

— Web management (Regulating on-the-job gaming, porn browsing, Facebook, Twitter and such should be a management responsibility.)

— Integration of Web 2.0 tools (Blogs, wikis and social networks are useful internal tools, but they are work for IT.)

As I write this, our IT staff is struggling to replace a major email server. Of course it started acting up late Saturday night.

Tom Kelchner

Microsoft says 64-bit Windows less affected by malware

Let’s see, have we heard this point-counterpoint before?

Statement: “64-bit Windows has some of the lowest reported malware infection rates in the first half of 2009.” (Joe Faulhaber of the Microsoft Malware Protection Center)

Counter statement: yes, but pretty soon that’s going to change.

Statement: 64-bit Windows is a different operating system, so, the malware writers don’t know how to write code that can run in it.

Counter statement: yes, but that doesn’t mean it’s any more secure. It just has a smaller market share, so it’s more efficient for malware writers to go after the more common OS. They could if they wanted to.

Statement (opposite side taking the offensive): What about Trojans?

Counter statement: yes, but that’s social engineering. It isn’t based on the weakness of the operating system, it’s based on weakness in the human factor.

Statement: “Infection rates for the 64-bit versions of Windows XP and Windows Vista are lower than for the corresponding 32-bit versions of those platforms, a difference that might be attributable to a higher level of technical expertise on the part of people who run 64-bit operating systems.” (Microsoft Security Intelligence Report)

Counter statement: “This difference may be expected to decrease as 64-bit computing continues to make inroads among mainstream users.” (same report)

Gee, this almost sounds like the argument about Apple’s various operating systems that’s been running since about 1995. (Oh! Did I say that out loud?)

Here’s a perspective from Sunbelt Software Chief Technical Officer Eric Sites:

“Most malware uses some type of driver or thread injection. None of these (existing) types of malware are going to work on a 64-bit system. It’s not because 64-bit is any more secure, which is what Microsoft is hinting at.”

Computer World story here.

Tom Kelchner

US FDA going after phony Internet pharmacies

Washington Post columnist Brian Krebs is reporting that the U.S. Food and Drug Administration (FDA) is moving to shut down 136 Internet pharmacy web sites that have been selling counterfeit drugs or those not approved by the FDA.

The FDA office of criminal investigations has sent warning letters to the site operators and notified their ISPs that they were selling the pharmaceuticals illegally.

According to his column, the sites, which claim to be in the U.S. or Canada, are really in India and have connections to Russia. Those notified by the FDA are all affiliates of Rx-commission.com, one of dozens of pharmacy affiliate organizations. Rx-commission.com chiefly attracts customers to its sites by search engine optimization techniques.

There could be as many as 55,000 such pharmacies on the web.

Krebs column here.

Clearly this is a daunting task, going after all 55,000 sites. The FDA has joined the U.S. Federal Trade Commission and the FBI in this country in taking on the vast amount of Internet lawlessness and there seems to be motion in other countries as well.

Police in Estonia last month arrested some of the men indicted by an Atlanta, Ga., grand jury in the $9 million hack of credit-card processing vendor RBS WorldPay. Police in Hong Kong and the Netherlands also were part of the investigating team and helped arrest two people for withdrawing RBS WorldPay funds from ATMs in Hong Kong.

Also last month, the head of Nigeria’s Economic and Financial Crimes Commission announced the arrest of 18 scammers and shutdown of 800 email accounts they were using. She promised a continuing crackdown.

Tom Kelchner

Malware campaign: “New Moon” movie is bait for rogue security product and bot

Chat networks and blogs are being used to lure movie fans to malicious sites promising: “Watch New Moon Full Movie,” according to LastWatchDog.com blogger Byron Acohido.

The much anticipated movie “New Moon” is due to open tomorrow.

The malicious operators are using search engine optimization techniques to lure “New Moon” fans to sites with malicious downloads of a rogue security product and bot malware. If a victim goes to the site he or she is told to download a viewer called “streamviewer” to watch the movie. The download is a Trojan and they get infected.

For those who’ve already infected themselves, he quotes Sunbelt Chief Technical Officer Eric Sites:

“For anyone whose PC is already hopelessly infested with scareware and/or other infectious programs, Sunbelt Software’s free deep scanning tool could be a godsend. VIPRE Rescue can neutralize many of the nastiest scareware promos, rootkits and keyloggers lurking on your hard drive, and bogging down your machine’s performance.

“VIPRE Rescue makes it easy to wipe out infections on a nearly inoperable computer, often times enabling successful repair, as well as installation of necessary security applications to prevent these infections from happening in the future.”

LastWatchDog.com post here.

Tom Kelchner

Single points of failure: How long will the hard drive in your machine last?

Hard drive lifetime

Good estimate – three years, maybe more. Higher rate of failure in the first year. (Clearly, mileage varies with usage)

Many of us have experienced the failure of a hard drive or we’ve known someone who did. It’s the life experience that answers the question: “how often should I back up my files?”

Manufacturers publicize the expected lifetime for hard drives. It’s called Mean Time to Failure (MTTF). There have been studies that suggest they either overestimate or underestimate the expected life time, though.

A paper given at the 5th USENIX Conference on File and Storage Technologies in 2007, “Disk failures in the real world: What does an MTTF of 1,000,000 hours mean to you?” suggests that drives have about a three-year average lifetime. However, there is a slightly more complex picture of their life cycle.

Bianca Schroeder and Garth A. Gibson of Carnegie Mellon University said their research suggested that an average lifetime of about three years could be expected; however, they also found a “bathtub-shaped” curve. Drives failed at a higher rate in their first year of use, failed at a slower rate for years 1-5, then failed at a higher rate after five years.

Schroeder and Gibson studied data on about 100,000 disks from large production systems.

Paper here.

Since the most common part of a machine to fail is the hard drive (power supplies are up there too) it is instructive to look at stories on rates of machine repairs.

Laptop lifetime

About a third will fail in three years with one chance out of three that you cause the failure by doing something like dropping it down the steps.

San Francisco-based SquareTrade, which bills itself as the “largest independent warranty provider,” published a study of 30,000 laptops this week. They summarized their findings:

“Looking at the first 3 years of ownership, 31% of laptop owners reported a failure to SquareTrade. Two-thirds of this failure (20.4%) came from hardware malfunctions, and one-third (10.6%) was reported as accidental damage.”

Study here.
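To see why a datasheet MTTF of 1,000,000 hours and a three-year average lifetime can both be quoted, and to put the SquareTrade three-year figure on the same per-year footing, here is an added worked example (not from the paper, the study or the post). It assumes the usual constant-hazard (exponential) model for the datasheet number; the bathtub hazard list is a constructed illustration of the shape the paper describes, not its measured data.

```python
import math

HOURS_PER_YEAR = 24 * 365  # 8760


def annualized_failure_rate(mttf_hours):
    """Fraction of drives expected to fail per year, given a datasheet MTTF and
    a constant hazard (exponential lifetime). For 1,000,000 h this is ~0.87%."""
    return 1.0 - math.exp(-HOURS_PER_YEAR / mttf_hours)


def mttf_hours_for_mean_life(years):
    """The MTTF that actually corresponds to a given mean lifetime in years."""
    return years * HOURS_PER_YEAR


def survival_probability(afr, years):
    """Probability a unit is still working after `years` at a flat yearly rate."""
    return (1.0 - afr) ** years


def annualize(cumulative_fraction, years):
    """Convert a cumulative failure fraction over `years` (e.g. 31% in 3 years)
    into the equivalent flat per-year rate."""
    return 1.0 - (1.0 - cumulative_fraction) ** (1.0 / years)


def bathtub_cumulative(rates_by_year):
    """Cumulative failure fraction when the per-year hazard changes with age,
    which is how a bathtub curve shows up in the numbers."""
    surviving = 1.0
    for rate in rates_by_year:
        surviving *= 1.0 - rate
    return 1.0 - surviving


def expected_failures(fleet_size, afr, years):
    """How many of `fleet_size` units you should plan on replacing."""
    return fleet_size * (1.0 - survival_probability(afr, years))


if __name__ == "__main__":
    print(f"AFR implied by MTTF 1,000,000 h: {annualized_failure_rate(1_000_000):.2%}")
    print(f"MTTF that a 3-year mean life really means: {mttf_hours_for_mean_life(3):,} h")
    print(f"SquareTrade 31% over 3 years, per year: {annualize(0.31, 3):.1%}")
    # Constructed bathtub hazards: higher in year 1, flat for years 2-5, up after.
    print(f"Constructed bathtub, 6-year cumulative: "
          f"{bathtub_cumulative([0.05, 0.02, 0.02, 0.02, 0.02, 0.06]):.1%}")
    print(f"Expected failures, 100 drives, 3 years at 11.6%/yr: "
          f"{expected_failures(100, 0.116, 3):.1f}")
```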

Desktop lifetime

There is a seven to 21 percent chance your machine will need repairs in the year.

PC Magazine did a survey of readers’ experiences with desktop computers and asked if the respondent’s machine needed repairs “in the last year.” This is really a customer satisfaction piece, but we can pull some rough numbers from it on rates of repair.

[Image: Disk lifetime]
Article here.

Now, go backup your files.

Tom Kelchner